Shape Analysis Overview presented by Greta Yorsh.


Transcript of Shape Analysis Overview presented by Greta Yorsh.


Shape Analysis [Jones and Muchnick 1981]

• Program analysis to determine all possible shapes of the heap at every program point

• Applications
  – Compiler optimizations
  – Automatic verification

Programs and Properties

• Programs
  – Dynamically allocated memory (heap)
  – Destructive updates
  – Recursive data structures
  – Recursive procedures
  – Concurrency
• Properties
  – Memory safety
  – Preservation of data structure invariants
  – Partial correctness
  – Linearizability
  – Termination

Mark and Sweep

void Mark(Node root) {
  if (root != null) {
    pending = ∅
    pending = pending ∪ {root}
    marked = ∅
    while (pending ≠ ∅) {
      x = SelectAndRemove(pending)
      marked = marked ∪ {x}
      t = x.left
      if (t ≠ NULL) and (t ∉ marked) pending = pending ∪ {t}
      t = x.right
      if (t ≠ NULL) and (t ∉ marked) pending = pending ∪ {t}
    }
  }
  assert marked == Reachset(root)
}

Postcondition of Mark: ∀v: marked(v) ⇔ successor*(root,v)

Loop invariant of Mark, writing m(v) for v ∈ marked and p(v) for v ∈ pending:
  ∀r . root(r) → (p(r) ∨ m(r))
  ∧ ∀v . (m(v) ∨ p(v)) → successor*(root,v)
  ∧ ∀v . ¬(p(v) ∧ m(v))
  ∧ ∀v, w . (m(v) ∧ ¬m(w) ∧ ¬p(w)) → ¬successor(v, w)

void Sweep() {
  unexplored = Universe
  collected = ∅
  while (unexplored ≠ ∅) {
    x = SelectAndRemove(unexplored)
    if (x ∉ marked) collected = collected ∪ {x}
  }
  assert collected == Universe – Reachset(root)
}
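The two routines above, run on a constructed heap graph with sharing, a cycle and unreachable garbage, as an added Python example that is not part of the talk. It checks the two asserted postconditions directly and checks the loop invariant of Mark at the head of every iteration; node names and edges are made up for the example.

```python
# Added example, not from the talk: the Mark/Sweep routines of the slide run
# on a constructed binary-heap graph, with the asserted postconditions and the
# loop invariant of Mark checked directly. Node names and edges are made up.

class Node:
    def __init__(self, name, left=None, right=None):
        self.name, self.left, self.right = name, left, right

def successors(v):
    return [t for t in (v.left, v.right) if t is not None]

def reachset(root):
    """successor*(root, v): the set of nodes reachable from root."""
    seen, stack = set(), [] if root is None else [root]
    while stack:
        v = stack.pop()
        if v not in seen:
            seen.add(v)
            stack.extend(successors(v))
    return seen

def check_invariant(root, marked, pending, reach):
    """The loop invariant of Mark from the slide, with m = marked, p = pending."""
    assert root in pending or root in marked      # ∀r. root(r) → p(r) ∨ m(r)
    assert (marked | pending) <= reach            # ∀v. m(v) ∨ p(v) → successor*(root,v)
    assert not (marked & pending)                 # ∀v. ¬(p(v) ∧ m(v))
    for v in marked:                              # ∀v,w. m(v) ∧ successor(v,w) → m(w) ∨ p(w)
        for w in successors(v):
            assert w in marked or w in pending

def mark(root):
    """Mark phase: returns the set of marked nodes."""
    marked, pending = set(), set()
    if root is not None:
        pending.add(root)
        reach = reachset(root)
        while pending:
            check_invariant(root, marked, pending, reach)
            x = pending.pop()                     # SelectAndRemove
            marked.add(x)
            for t in successors(x):
                if t not in marked:
                    pending.add(t)
    assert marked == reachset(root)               # the slide's postcondition
    return marked

def sweep(universe, marked):
    """Sweep phase: every node of the universe that is not marked is collected."""
    unexplored, collected = set(universe), set()
    while unexplored:
        x = unexplored.pop()
        if x not in marked:
            collected.add(x)
    return collected

def collect(universe, root):
    """Run both phases; returns (names of live nodes, names of collected nodes)."""
    marked = mark(root)
    collected = sweep(universe, marked)
    assert collected == set(universe) - reachset(root)
    return {v.name for v in marked}, {v.name for v in collected}

def sample_heap():
    """Constructed heap: a..d reachable from root a (with sharing and a cycle);
    e, f, g are garbage, although e even points back into the live graph."""
    a, b, c, d, e, f, g = (Node(n) for n in "abcdefg")
    a.left, a.right = b, c
    b.left = d
    c.right = d                  # d is shared by b and c
    d.left = a                   # cycle back to the root
    e.left, e.right = f, a       # unreachable, points at live data anyway
    g.left = g                   # self-loop garbage
    return a, [a, b, c, d, e, f, g]

if __name__ == "__main__":
    root, universe = sample_heap()
    print(collect(universe, root))   # ({'a', 'b', 'c', 'd'}, {'e', 'f', 'g'})
```

The invariant check is the interesting part: because pending is a set and a node is only pushed while unmarked, the disjointness conjunct ¬(p(v) ∧ m(v)) holds without any extra bookkeeping, and the last conjunct is what makes the final `marked == reachset(root)` assertion follow once pending is empty.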


Parametric Shape Analysis via 3-valued Logic

Groups working on it: Tel Aviv University (Sagiv), University of Wisconsin (Reps), Universität des Saarlandes (Wilhelm), MSRC, Queen Mary, IBM, Berkeley, Inria, MSRI, MSR, LIAFA, ... and others ...

Timeline: Shape Analysis

1981  Flow analysis and optimization of Lisp-like structures [Jones and Muchnick 1981]
1990  Analysis of pointers and structures
1999  Parametric Shape Analysis via 3-valued Logic [Sagiv, Reps, Wilhelm POPL'99, TOPLAS'02]
2000  TVLA [Lev Ami et al, SAS'00]
2001  Verifying Concurrent Heap Manipulating Programs [Yahav et al, POPL'01]
2001  Interprocedural and Recursive Programs [Rinetzky et al, CC'01]
2003  Logical Characterization of Heap Abstractions
2004  Numerical Abstractions [Gopan et al, TACAS'04]
2005  Procedure Local Heaps and cutpoints [Rinetzky et al, POPL'05]
2006  A Local Shape Analysis Based on Separation Logic [Distefano et al, TACAS'06]
2007  Verifying Linearizability [Amit et al, CAV'07]
2007  Thread Modular Shape Analysis [Gotsman et al, PLDI'07]
2008  Verifying Linearizability with Heap Decomposition [Manevich, Lev Ami et al, SAS'08, CAV'08]

Applications

• Memory safety & preservation of data structure invariants [Dor SAS'00, Loginov ISSTA'08]
• Compile-time garbage collection [Shaham et al, SAS'03]
• Correct API usage [Ramalingam et al PLDI'02, Yahav et al PLDI'04]
• Typestate verification [Yahav et al, ISSTA'06]
• Sorting implementations [Lev-Ami ISSTA'00, Rinetzky SAS'05]
• Deutsch-Schorr-Waite [Loginov et al, SAS'06]
• Linearizability [Amit et al, CAV'07, Manevich et al, SAS'08, CAV'08]
• Device drivers [Yang et al, CAV'08]

Outline

• Shape abstractions in a nutshell
• Computing transformers
• Challenges in shape analysis

Concrete Stores as Logical Structures

[Figure: a concrete store. The stack holds two variables, x and p; the heap holds a singly linked list whose cells are linked by their n fields. x points to the head of the list and p to a cell further along it.]

• Locations → Individuals
• Program variables → Unary relations
• Fields → Binary relations
• Instrumentation predicates defined in FOTC, e.g. reachability from p:
  ∀v . rp(v) ⇔ ∃w . p(w) ∧ n*(w,v)

[Figure: the same store with rp true on p's cell and on every cell after it.]

Canonical Abstraction

[Figure: the concrete list store and its canonical abstraction. Cells with the same values of the unary relations x, p and rp are merged into one abstract node; a node standing for several cells is a summary node, and an n edge that holds for some but not all of the represented pairs of cells gets the value ½.]

• Abstract stores are 3-valued logical structures
• {0, 1, ½} values for relations, with 0 ⊔ 1 = ½

Canonical Abstraction with Reachability

[Figure: with rp as an instrumentation predicate, the cells between x and p (rp false) and the cells from p onwards (rp true) are kept in separate summary nodes, so the abstract store still records that p points into x's list.]

Canonical Abstraction without Reachability

[Figure: without rp, every cell that is pointed to by neither x nor p has the same unary values and collapses into one summary node, so the abstract store represents many more concrete stores, including ones of a different shape.]

Logical Characterization in FOTC [Yorsh'03] [Kuncak'04] [Wies'07]

The abstract store below is characterized by a first-order formula with transitive closure. Every individual carries the unary values of one of the four abstract nodes:

∀v: (x(v) ∧ ¬p(v) ∧ ¬rp(v)) ∨ (¬x(v) ∧ ¬p(v) ∧ ¬rp(v)) ∨ (¬x(v) ∧ p(v) ∧ rp(v)) ∨ (¬x(v) ∧ ¬p(v) ∧ rp(v))

there is one conjunct per definite (0 or 1) n edge between abstract nodes, e.g. the 0 edge from x's cell to p's cell:

∀v, w. x(v) ∧ ¬p(v) ∧ ¬rp(v) ∧ ¬x(w) ∧ p(w) ∧ rp(w) → ¬n(v, w)

and the instrumentation predicates are fixed by their definitions:

∀v . shared(v) ⇔ ∃v1,v2. n(v1,v) ∧ n(v2,v) ∧ v1 ≠ v2
∀v . rp(v) ⇔ ∃w . p(w) ∧ n*(w, v)

[Figure: the abstract store for the list, with the instrumentation predicates rx, rp and shared on its nodes.]

Logical Characterization in Separation Logic

∃v, w . x ↦ v * lseg(v,p) * p ↦ w * lseg(w,null)

with the list-segment predicate defined inductively (it is non-empty: a segment owns at least one cell):

lseg(x,y) ≜ ∃v . x ↦ v * ((y = v ∧ emp) ∨ lseg(v,y))

[Figure: the same list, x pointing to its head and p to a later cell, read as two segments.]
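A checker for the separation-logic characterization above, as an added Python example that is not from the talk or from any of the cited tools. A heap is a dict from cell id to the value of the cell's n field; `lseg` follows the inductive definition with its footprint, and the whole formula is read as a precise assertion (the four conjuncts must own disjoint cells and together own the entire heap). Cell ids and heaps are constructed for the example.

```python
# Added example, not from the talk: a checker for the separation-logic
# characterization above. A heap is a dict from cell id to the value of its
# n field (another cell id, or None for null); all cell ids are constructed.

def points_to(heap, x):
    """x ↦ v: holds on the single-cell heap {x}. Returns (v, footprint) or None."""
    if x is None or x not in heap:
        return None
    return heap[x], {x}

def lseg(heap, x, y):
    """lseg(x, y) ≜ ∃v. x ↦ v * ((v = y ∧ emp) ∨ lseg(v, y)): a non-empty,
    acyclic run of cells starting at x whose last n field is y. Returns the
    footprint (the cells the segment owns) or None. The ∃ is resolved by
    ending the segment the first time y is reached."""
    footprint, cur = set(), x
    while True:
        pt = points_to(heap, cur)
        if pt is None or cur in footprint:   # dangling n, or a cycle: * forbids reusing a cell
            return None
        v, cell = pt
        footprint |= cell
        if v == y:                           # v = y ∧ emp: the segment ends here
            return footprint
        cur = v                              # otherwise unfold lseg(v, y)

def two_lists_from_x_and_p(heap, x, p):
    """∃v, w. x ↦ v * lseg(v, p) * p ↦ w * lseg(w, null), read as a precise
    assertion: the four conjuncts own pairwise disjoint cells and between them
    own every cell of the heap (there is no 'true' conjunct to absorb leftovers)."""
    head = points_to(heap, x)
    if head is None:
        return False
    v, f1 = head
    f2 = lseg(heap, v, p)
    mid = points_to(heap, p)
    if f2 is None or mid is None:
        return False
    w, f3 = mid
    f4 = lseg(heap, w, None)
    if f4 is None:
        return False
    parts = [f1, f2, f3, f4]
    owned = set().union(*parts)
    disjoint = len(owned) == sum(len(f) for f in parts)   # the * between conjuncts
    return disjoint and owned == set(heap)

def chain(cells):
    """Constructed acyclic list: each cell's n points to the next, the last to null."""
    return {c: nxt for c, nxt in zip(cells, list(cells[1:]) + [None])}

if __name__ == "__main__":
    seven = chain(["c1", "c2", "c3", "c4", "c5", "c6", "c7"])
    print(two_lists_from_x_and_p(seven, "c1", "c5"))                 # True: the picture
    print(two_lists_from_x_and_p(seven, "c1", "c2"))                 # False: lseg(v,p) must own a cell
    print(two_lists_from_x_and_p(dict(seven, c8=None), "c1", "c5"))  # False: c8 is owned by nobody
```

Two things the checker makes visible that the formula alone hides: because `lseg` is non-empty, x ↦ v * lseg(v, p) requires at least one cell strictly between x's cell and p's, and because `*` demands disjoint footprints, a cyclic heap makes `lseg` fail rather than loop.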

Canonical Abstraction

• Limited form of quantified invariants
  – quantifier alternation only in instrumentation predicates
• Not a static memory partition
  – The same memory location can be represented by different abstract nodes in different shape graphs

Non-Static Partition

[Figure: abstract stores before and after the statement x = x.n; the same concrete cell is represented by one abstract node before the statement and by a different one after it.]
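A small implementation of the abstraction described from "Concrete Stores as Logical Structures" through "Non-Static Partition", as an added Python example that is not from the talk or from TVLA. It represents a concrete store as a logical structure, computes its canonical abstraction with and without reachability instrumentation predicates, and applies the concrete semantics of x = x.n and re-abstracts, which shows the partition changing. It generalizes the slide's rp to one predicate r_v per program variable (so rx as well as rp); cell ids, the list shape and the variable names are constructed.

```python
# Added example, not from the talk: concrete stores as 2-valued logical
# structures, canonical abstraction into 3-valued structures with and without
# reachability instrumentation, and the effect of x = x.n on the partition.
# Cell ids, variable names and the list shape are constructed.
from itertools import product

HALF = 0.5  # the indefinite truth value ½; 0 and 1 are the definite values

class Store:
    """A concrete store as a logical structure: individuals are heap cells,
    each program variable is a unary relation (true on at most one cell) and
    the field n is a binary relation that is a partial function."""
    def __init__(self, cells, variables, n):
        self.cells = list(cells)            # individuals
        self.variables = dict(variables)    # var -> the cell it points to, or None
        self.n = dict(n)                    # cell -> the cell its n field points to, or None

    def reach(self, src):
        """n*(src, u): the cells reachable from src via n, src included."""
        seen, u = [], src
        while u is not None and u not in seen:
            seen.append(u)
            u = self.n[u]
        return set(seen)

def unary_relations(store, instrument=True):
    """All unary relations: the program variables and, when instrument is set,
    an instrumentation predicate r_v per variable v, defined like the slide's
    rp by r_v(u) = ∃w. v(w) ∧ n*(w, u)."""
    rels = {}
    for var, cell in store.variables.items():
        rels[var] = {u: u == cell for u in store.cells}
        if instrument:
            reachable = store.reach(cell) if cell is not None else set()
            rels["r" + var] = {u: u in reachable for u in store.cells}
    return rels

def canonical_abstraction(store, instrument=True):
    """Merge all cells that agree on every unary relation into one abstract
    node (a summary node when it stands for more than one cell). The n edge
    between two abstract nodes is 1 if it holds for every pair of represented
    cells, 0 if for none, and ½ otherwise (0 ⊔ 1 = ½)."""
    rels = unary_relations(store, instrument)
    names = sorted(rels)
    def canonical_name(u):                  # the vector of unary values of u
        return tuple(name for name in names if rels[name][u])
    members = {}
    for u in store.cells:
        members.setdefault(canonical_name(u), []).append(u)
    edges = {}
    for a, b in product(members, repeat=2):
        values = {store.n[u] == w for u in members[a] for w in members[b]}
        edges[(a, b)] = 1 if values == {True} else 0 if values == {False} else HALF
    summary = {node: len(cells) > 1 for node, cells in members.items()}
    return {"summary": summary, "n": edges, "members": members}

def assign_x_next(store, var="x"):
    """Concrete semantics of the statement x = x.n on one store."""
    variables = dict(store.variables)
    cell = variables[var]
    if cell is None:
        raise ValueError("null dereference: %s is null" % var)
    variables[var] = store.n[cell]
    return Store(store.cells, variables, store.n)

def list_store():
    """Constructed store matching the slide's picture: x points at the head of
    a seven-cell list and p at its fifth cell."""
    cells = ["c1", "c2", "c3", "c4", "c5", "c6", "c7"]
    n = {c: nxt for c, nxt in zip(cells, cells[1:] + [None])}
    return Store(cells, {"x": "c1", "p": "c5"}, n)

if __name__ == "__main__":
    s = list_store()
    print("with rx/rp:  ", canonical_abstraction(s)["summary"])
    print("without:     ", canonical_abstraction(s, instrument=False)["summary"])
    print("after x=x.n: ", canonical_abstraction(assign_x_next(s))["summary"])
```

With the reachability predicates the list abstracts to four nodes, two of them summary nodes, and the n edge from x's node to p's node is a definite 0 while the edges along the list are ½. Without them, c2, c3, c4, c6 and c7 all share the empty vector of unary values and collapse into a single summary node. After x = x.n, c2 has left the summary node and is the x node on its own, and c1 (now reachable from nothing) forms a new node: the same cells sit in different abstract nodes before and after the statement, which is the non-static partition of the slide.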

Outline

• Shape abstractions in a nutshell
• Computing abstract transformers
• Challenges in shape analysis


Best Transformer

[Figure: the best transformer for x = x.n. The abstract store is concretized to the (possibly infinite) set of concrete stores it represents, the concrete semantics of x = x.n is applied to each of them, and the results are canonically abstracted back.]

Transformer using Partial Concretization

[Figure: the transformer for x = x.n computed by partial concretization: the abstract store is refined only as far as the statement needs, the concrete semantics is applied, and the result is canonically abstracted.]

Symbolic Transformer

[Figure: the transformer for a call foo() computed symbolically: symbolic concretization of the abstract store, the concrete semantics, and a decision procedure to obtain the abstract result.]

Partial Concretization

• Temporarily refine the abstract domain per statement
• Employed in other shape analysis algorithms [Distefano, TACAS'06; Evan, SAS'07, POPL'08]
• Soundness is immediate
• Precision depends on the heap mutation
  – Locality
  – Uniformity
• Can even guarantee precision under certain conditions [Lev-Ami, VMCAI'07]

Challenges in shape analysis

• Programming language features
  – Procedures
  – Modularity and encapsulation
  – Concurrency
• Properties
• Complex data structures
  – Hierarchy
  – Mixture of data and heap
  – Array of heaps
• Scaling to larger programs

Handling Procedures

• Complicated sharing patterns [Rinetzky, CC'01]
• Relational shape analysis [Jeannet, SAS'04]
• New semantics for procedures (Cutpoints) [Rinetzky, POPL'05]
• Tabulation for cutpoint free programs [Rinetzky, SAS'05]
• Handling cutpoints [Gotsman, SAS'06]

Concurrency

• Models threads as ordinary objects [Yahav, POPL'01]
• Thread-modular shape analysis [Gotsman, PLDI'07]
• Heap decomposition and thread quantification [Manevich et al SAS'08, CAV'08]
• Enforcing a locking regime [Rinetzky]

Handling Larger Programs ?

• Staged analysis
• Specialized abstractions
  – Counterexample guided refinement
• Coarser abstractions
  – Weaker summary nodes [Arnold, SAS'06]
  – Special join operator [Manevich, SAS'04, TACAS'07, Yang'08]
  – Heterogeneous abstractions [Yahav, PLDI'04]
• Implementation techniques
  – Optimizing transformers [Bogudlov, CAV'07]
  – Optimizing GC
  – Reducing static size
  – Partial evaluation
  – Persistent data structures [Manevich, SAS'04]
  – …

Conclusion

• Limited forms of quantified invariants can prove interesting properties
• Partial concretization is useful for transformers
• Scaling shape analysis is still an open problem
• Like a Swiss army knife or a Unix utility
  – Only for experts
  – ... but at least it's very useful to them